Adobe Experience Manager & Cloud Document Security
How secure is the document security in Adobe Experience Manager & Adobe Document Cloud?
Using Adobe Experience Manager or Adobe Document Cloud to secure sensitive or confidential documents could be a bad idea. Here’s why, and what you can do about it.
Many enterprises rely on a content management system (CMS) to create, manage, and distribute digital content in a streamlined manner. The ability to quickly publish and refine digital content gives businesses a competitive edge in the online arena. But a CMS can also play a key role in a company’s security. Access control, role-based permissions, and monitoring features are designed to prevent content from being accessed or modified by those who shouldn’t. Such is the case with Adobe Experience Manager’s document security.
What is Adobe Experience Manager (AEM)?
Adobe Experience Manager (AEM) is a content management and digital asset management system offered by Adobe. It is available as both a cloud service and a self-deployed model. AEM has a particular focus on policy-based security for a wide range of digital content, with support for approaches such as role-based access control.
AEM’s document security feature supports both Adobe Acrobat and the Microsoft Office suite. It also integrates with SharePoint, though not without issue.
How does Adobe Experience Manager document security work?
As mentioned, Adobe security policies are at the core of AEM. Admins choose confidentiality settings to apply to documents. These determine whether recipients can print, copy text, edit text, add signatures, comment, etc. Your Adobe security policies are stored on an AEM document security server, which also handles user authentication and logging, and provides a web interface for managing Adobe security policies.
Adobe Acrobat secured documents
How exactly the security is applied to the document depends on its format. Adobe Experience Manager applies policies to PDF files using Adobe LiveCycle Rights Management ES. After an author publishes a PDF, they can apply a policy stored on the Adobe Experience Manager Forms Server. This server generates a license and unique encryption key for the PDF. The license is embedded in the PDF and encrypted using the aforementioned encryption key. Adobe Experience Manager additionally allows admins to revoke PDFs and add dynamic watermarks to them.
When the user then tries to open the PDF, they’ll be asked to authenticate their identity by logging into their document security account. Once they have, the PDF will be decrypted with the permissions in the Adobe security policy applied (determining whether the user can edit, print, etc.).
This sounds better than Acrobat’s usual password/certificate protection, but how much so is questionable. Ultimately, access to the document is still controlled by a username/password combination, which can be shared. While yes, admins may be able to implement additional security, such as two-factor authentication and IP address limits, 2FA codes can easily be shared too and IP addresses can be spoofed via a VPN. This means that an authorized user can likely still give an unauthorized one access to the document without too much trouble.
Then there is the matter of the policy protections themselves. How does Adobe enforce whether users can print, edit, or copy from a PDF? Well, at its heart, it uses Adobe LiveCycle Rights Management. There are several drawbacks to LiveCycle Rights Management, including poor support for offline functionality and a lack of granular controls. It is also technically possible to bypass its DRM, according to Elcomsoft. Though Elcomsoft does not provide the tools to do so for legal reasons, that does not mean that hackers will not be able to create or obtain their own.
Perhaps the bigger problem, however, is that Adobe makes no mention of the prevention of screenshots. Screenshots present a simple way for users to share confidential information with others or even make content editable again via an OCR tool. This extends to screen recording and sharing, too. Users can record themselves scrolling through the document or jump on a video call with somebody to share sensitive content.
Protection of Microsoft Office files
The protection for Microsoft Office files is handled through an extension/plugin to the application. Admins can apply an Adobe security policy to an Office file and encrypt it. The idea is that only users who are recognized by Document Security via an Active Directory list or a linked LDAP directory can open it. When a user attempts to open an encrypted Word document, the extension connects to the Document Security server to verify whether they are authorized to view it and determines which permissions (edit, print, etc.) to apply to the file.
However, extensions can be an unreliable way to implement document security because they often stop working due to updates or conflicts with other extensions. This causes inconvenience for the user and can mean some extensions stop enforcing their controls completely. Microsoft Office users can also install extensions from any source, which could lead to situations where an extension is used to deliberately disable document security. In fact, third-party plugins are completely unsupported with the AEM Document Security extension for Office, with Adobe admitting the extension will simply break if you try.
Adobe additionally states that it uses “built-in protection features” to protect Office documents, but, as we have already covered, Microsoft Office’s built-in security is deeply flawed and it is not supported by older Office versions. Extensions and plugins do not have the same control over a user’s operating system as a dedicated application and will therefore always be limited in their ability to prevent copying, editing, and printing.
There are many other security issues:
- Opening a protected document from a SharePoint server will cause all permissions on the document to be disabled, regardless of the Adobe security policy applied.
- Dynamic watermarks do not work properly on Microsoft Excel 2013, 2016, or 2019. If a policy is applied on a computer with no printers installed, it will present an error and the watermark will not display when saved or when using the “View > Page Layout” feature.
- Adobe recommends that you disable the Windows Data Execution Prevention (DEP) setting when using the extension, which could introduce security risks.
- Shared Microsoft Office files cannot be protected.
- Microsoft PowerPoint allows the editing of protected documents.
- The extension is only available on Windows 7 or Windows 10, making it useless for any organization with users or partners on macOS or mobile devices.
- You must disable various McAfee anti-virus features or it will not work.
- The extension only disables the PrintScreen button while a protected document is open. Users can still copy a document by using a third-party screen capture application or a different hotkey.
And these are just some of the problems you’ll run into when using the plugin for document security. The confusion surrounding its features and restrictions will likely lead to an increased load on your IT support, and perhaps a reluctance to secure documents at all.
Is Adobe Experience Manager secure enough for sensitive documents?
AEM is not suitable for use with sensitive documents since authorized users can still easily share sensitive content with unauthorized ones. Neither solution appears to do anything to prevent third-party screenshot applications or screen sharing/recording, and Adobe’s PDF protection has been proven vulnerable to attack in the past. The reliance on a third-party plugin for Office 365 security is even more concerning – introducing a whole host of issues, some of which could lead to compromises of system security. The same can be said when using it as a content protection system for digital manuals, books, training courses, and other IP.
So, Adobe Experience Manager is a very useful solution for content management, but not ideal for protecting sensitive or confidential documents.
Adobe Document Cloud and security
Adobe has another solution that can secure documents: Adobe Document Cloud. But does it provide better protection?
What is Adobe Document Cloud?
Adobe Document Cloud is essentially an umbrella term for Adobe’s PDF products, with some free cloud storage thrown in. It’s designed to help users store, access, and sign PDF documents from any device through the use of Adobe Acrobat, Adobe Acrobat Sign, and Adobe Scan. Users and enterprises can create a document hub that enables easy access to create, edit, send, sign, and track PDF documents.
Is Adobe Document Cloud secure?
Adobe certainly talks up the processes it uses to develop and maintain secure products in its marketing materials. This despite a litany of past failures in its PDF security and the accidental breach of 2.9 million customers’ passwords in 2013. Let us put that aside for now, however, and take a look at what it does to protect the PDF documents themselves.
Encryption
When you upload a PDF to the Adobe Document Cloud, it is protected in transit with HTTPS TLS 1.2 encryption and encrypted at rest on the server with strong AES 256-bit encryption, with symmetric keys that are unique to each customer and their domain. Admins can add a further layer of protection with a dedicated encryption key for some or all of their domains, which can be revoked at will.
So far, then, pretty good, though Adobe makes no claims that your documents will be protected during use or that no temporary files will be left behind after you are done with them. From here on, though, it starts to get shakier.
Adobe Document Cloud security concerns
Though Adobe Acrobat Cloud allows you to share documents with users via their Adobe account, this is still ultimately password security, and credentials can be shared. While it is nice that enterprise subscribers can use federated ID accounts for logins for additional security, this doesn’t help much. Users can easily remove the restrictions from a PDF and share it after downloading and decrypting it.
This is because Adobe Acrobat secured documents use a flawed permissions password system for content restrictions. The Adobe security handler allows all editing, printing, and copying restrictions to be removed. An authorized user can therefore share the document by printing it to a new PDF file or by copying and pasting its contents into another document. For more information on this, see Cracking Adobe Password Protected PDF Files.
As we have covered previously in our article on how secure Adobe PDF encryption is, it’s also possible to extract information from Adobe Acrobat-encrypted PDFs using direct exfiltration and malleability attacks.
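To show how thin the permission layer described above is, here is an added example (not code from Adobe or Locklizard) that reads the standard security handler’s /Encrypt object and decodes its /P permission bitfield, so an auditor can flag PDFs whose only “protection” is a set of advisory flags. The sample PDF fragment, its /P value and the /O and /U placeholders are constructed for illustration.

```python
import re

# Permission bits of the PDF standard security handler (ISO 32000-1, Table 22);
# bit numbers are 1-indexed from the least significant bit, as in the spec.
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text and graphics",
    6: "add or modify annotations and form fields",
    9: "fill in existing form fields",
    10: "extract for accessibility",
    11: "assemble (insert, rotate, delete pages)",
    12: "print at high quality",
}

def decode_permissions(p_value):
    """Map a /P value (signed 32-bit integer) to {operation: allowed}."""
    flags = p_value & 0xFFFFFFFF
    return {name: bool(flags & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}

def inspect_pdf_restrictions(pdf_bytes):
    """Find the standard-security-handler /Encrypt object and report the
    restrictions it declares; None if no such object is present."""
    for obj in re.finditer(rb"\d+\s+\d+\s+obj\s*<<(.*?)>>\s*endobj", pdf_bytes, re.S):
        body = obj.group(1)
        p = re.search(rb"/P\s+(-?\d+)", body)
        r = re.search(rb"/R\s+(\d+)", body)
        if not re.search(rb"/Filter\s*/Standard\b", body) or not (p and r):
            continue
        perms = decode_permissions(int(p.group(1)))
        return {
            "revision": int(r.group(1)),
            "allowed": sorted(k for k, v in perms.items() if v),
            "restricted": sorted(k for k, v in perms.items() if not v),
            # /P is a single integer honoured by the viewer: once the (often
            # empty) user password yields the content key, it is advisory only.
            "enforced_by": "viewer only (advisory)",
        }
    return None

# Constructed sample: the /Encrypt object of a PDF whose owner password
# restricts everything except printing (/P -1852). /O and /U are placeholders.
SAMPLE_PDF = (
    b"%PDF-1.4\n5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852\n"
    b"/O <" + b"00" * 32 + b"> /U <" + b"11" * 32 + b"> >>\nendobj\n"
    b"trailer\n<< /Encrypt 5 0 R >>\n%%EOF\n"
)
```

Calling `inspect_pdf_restrictions(SAMPLE_PDF)` reports that only printing is allowed and that every other restriction is enforced by the viewer alone, which is the weakness the text above describes.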
Certificates and digital signatures
Adobe Document Cloud also allows you to protect PDFs using certificates. This represents better security than a username/password, but it doesn’t mitigate the flaws in Adobe’s editing/copying restrictions, which can still be easily removed.
Adobe’s web viewer
Users have the option to view and edit PDFs using the document hub on the Adobe Acrobat site. However, a browser-based viewer is, if anything, less secure than the desktop one:
- It doesn’t prevent printing or printing to file drivers, as users can just press Ctrl + P.
- You can use an OCR browser extension to copy text.
- Users may be able to manipulate the web application via JavaScript/their browser’s developer mode to retrieve a copy of the file.
- Users can download a browser extension to automate screenshots of every page.
- Users can record their screen or screen share in a video call.
- You can download any file and remove the editing protection through standard PDF password removal programs.
- You can convert protected PDFs to other formats.
So, while useful for enabling PDF viewing/editing on any device, the web app only reduces security.
Is Adobe Cloud secure enough for sensitive documents?
Clearly, no. It’s far too easy for authorized users to remove Adobe’s PDF security and share the contents of the document with unauthorized parties. On top of this, it means uploading your files to a remote server space that is not under your control and where you don’t have full transparency surrounding file deletion or other security measures. Given Adobe’s dubious security record, that does not seem wise.
Document protection that works
Locklizard’s PDF protection does not rely on plug-ins, web viewers, password protection, or Adobe Acrobat permissions. It protects files without passwords or certificates, instead locking PDFs to specific devices with a combination of AES 256-bit encryption, licensing, DRM controls, and a secure viewer application.
This allows it to prevent:
- Unauthorized users from opening files: Users can only open a PDF if they have a valid license file activated on their PC or mobile device. A license file can only be installed on one device (unless otherwise authorized).
- Authorized users from sharing a file’s encryption key: The keystore is encrypted and does not function if moved or copied to another device.
- Content extraction: Copy and paste, screenshotting (first or third-party), and PDF printing are disabled by default. Physical printing can also be disabled or limited.
- Editing: The Safeguard PDF viewer application does not have editing functionality built-in. Users cannot open PDFs protected with Safeguard in any other application, nor can they extract the content, and therefore they cannot edit the file.
- Printing: Prevent printing, limit prints to a certain number of copies, or enforce black-and-white or grayscale output.
- Use after a defined period: Safeguard PDF allows you to expire documents after a certain date, number of days from first open, number of prints, or number of opens. You can also revoke PDF access manually at any point.
- The sharing of phone pictures and printed copies: Locklizard Safeguard comes with a dynamic watermarking system. You can protect a document with a watermark and add variables like name and email address. These variables will then be automatically adjusted to match the user when they open the document. They won’t be able to share any version of it without having their name and email address clearly on show. Unlike Adobe watermarks that can be simply removed, Locklizard’s watermarking is permanent.
- Untraceable usage: Monitoring tools allow you to see how many times your document was opened and printed, by whom, and where from.
You can read about how Safeguard works in detail here to see how it stacks up against Adobe Experience Manager document security or Adobe Document Cloud security features.
Then check out our customer testimonials to see why businesses use Locklizard to protect their intellectual property from unauthorized access, use, and theft.
If you want to protect sensitive information in your digital documents from being copied and shared then take a 15-day free trial of our PDF DRM security software.